AC
Anasayfa Makaleler

KVKK Data Breach 72 Hour Notification: Practical Guide for the Company

TL;DR

KVKK m.12/5 veri ihlalinde "en kısa süre içinde" bildirim zorunlu; Kurul 72 saat ölçütünü uyguluyor. Bildirim yapılmazsa veya geç yapılırsa idari para cezası katlanır.

15 Şubat 2026 3 dk okuma 11 görüntülenme Son güncelleme: 9 Mayıs 2026

The first 72 hours are critical when a data breach occurs. KVKK notification + communication + investigation plan should be carried out in parallel; Notification delay alone is an aggravating factor.

Which event is considered a "violation"?

  • Unauthorized access (hacking, employee abuse).
  • Data leak (Pastebin, dark web feed).
  • Email (bulk) to wrong address.
  • Unencrypted device theft.
  • Leakage from third party (subprocessor).
  • Data display to wrong person due to system error.

First 72 hours — steps

  • 0-2 hours: Incident report; technical response team (CISO + Legal + Communications).
  • 2-12 hours: Impact analysis; how many people, what categories (health, finance), risk level.
  • 12-24 hours: Draft notification to aggrieved data subjects; site announcement preparation.
  • 24-48 hours: Notification form to KVKK (kişiselverilerikoruma.gov.tr).
  • 48-72 hours: Official notification to data subjects + opening a communication line.
  • 72+ hours: Forensic report, prosecutor's complaint (against attacker), remediation plan.

    • Notification form content

    • The nature and category of the violation.
    • Date of incident and date of realization.
    • Number of people affected and data categories.
    • Possible consequences (financial loss, identity theft, etc.).
    • Measures taken/to be taken.
    • Contact person.

    Administrative fine criteria

    • Type of violation (organized attack vs. negligence).
    • Compliance with the notice period.
    • Number of people affected.
    • Scale (SME vs large company).
    • Previous KVKK records.
    • Maximum 5 million TL (after 2025 update).

    Frequently asked questions

    72 hours have passed, we still haven't reported it; what should we do?

    Report immediately + provide justification (analysis process took time, impact was unclear). Late notification is aggravating; but less than not reporting at all.

    Should we definitely notify the victims?

    Compulsory if there is a "high risk" (KVKK article 12/5 + Board Decision 2019/271). If the risk is low, Board guidance may be sought; but transparency is generally in our favor.

    The attack is external, it is not our fault; Will we be punished?

    "Data security obligation" was introduced by KVKK article 12/1; Even if the attack is external, the question is asked whether adequate precautions were taken. Documents such as pen-test, ISO 27001, log management are critical in defense.

    Can a lawsuit be filed for compensation?

    Yes, the data owner may request compensation in accordance with Article 14 of the KVKK. The spiritual range of 5,000-50,000 TL is common; Lump-sum compensation (e.g. if 100K people are affected) could go into the millions.

    Is GDPR triggered too?

    Yes, if the EU data subject is affected; GDPR Art. 33 — Notification to the relevant data protection authority (DPA) within 72 hours. Turkish KVKK + EU DPA parallel notification required; Both institutions may impose their own fines.

    Relevant legislation

    • KVKK no. 6698 article 12 — Data security obligation; notice of violation (art.12/5).
    • KVKK no. 6698 article 14 ��� Right to compensation.
    • KVKK no. 6698 article 18 — Administrative fine (up to 5 million TL).
    • GDPR Art. 33-34 — 72-hour infringement notification on EU cross-border transfer.
    • TCK art.135-136 — Unlawful recording/dissemination of personal data.
    Legal notice: This article is for general information purposes; A meeting with a lawyer is required for a concrete case. Durations, rates and practice are shaped by jurisprudence; Check the current legislation before applying.

    Kaynaklar ve referanslar

    Kaynaklar

    KVKK Veri İhlali 72 Saat Bildirim: Şirket için Pratik Rehber içeriği hazırlanırken resmi mevzuat ve yüksek yargı kaynakları esas alınmıştır.

    Telif bildirimi This content and all related Q&A texts are protected under Turkish Copyright Law No. 5846. Unauthorized copying, reproduction, publication, adaptation, bulk extraction, or commercial use is prohibited; legal and criminal remedies are reserved in case of infringement.

    Hukuki destek arıyorsanız

    Bu konuda profesyonel hukuki destek için Aycan Ceylan Avukatlık Bürosu olarak yanınızdayız.

    Görüşme Planla